Stolen Passwords Allowed Hackers to Steal Over One Billion Rubles
A recent report on a hacker group that has targeted banks and payment systems in Russia and CIS (Commonwealth of Independent States) countries reveals how the criminals steal money from the banks themselves, not from their customers. Over one billion rubles, or about $17 million, were stolen over the last six months.
Group-IB and Fox-IT jointly researched and released Anunak: APT Against Financial Institutions (PDF), a detailed report on the technical details of the threat, intended to help prevent future information security incidents.
Their research revealed that this one group was able to gain access to 50 Russian banks, five payment systems and 16 retail companies (most of the retailers located outside Russia), as a Fox-IT press release stated. In the Russian attacks, the hackers also gained access to the victims' email in addition to their bank and payment systems, allowing them to monitor whether they had been detected and to get inside information on any changes to security or infrastructure.
So how did they do it? Here's a summary of the hackers' steps:
- Attackers used RDPdoor to get remote access to the bank's network. According to WeLiveSecurity.com, RDPdoor collects information about the infected system and the devices in use. They later used MBR (Master Boot Record) Eraser to remove traces of their activity and to disable Windows computers and servers (wiping the boot record leaves the machine unbootable).
- After infecting a user's computer, they obtained the password of a user with administrative rights on some computers (e.g., a technical support engineer's password).
- They used those credentials to access one server, compromised the domain administrator password from that server, and used it to reach the domain controller and compromise all active domain accounts.
- They then gained access to email and workflow servers.
- Next they gained access to the workstations of banking system and server administrators, and installed photo and video monitoring software on the workstations of certain system operators.
- Finally, they set up remote access to certain servers, changing firewall configurations to allow it.
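The detection side of that chain, as an added example that is not part of the report or the original post: a Python script that runs over a handful of constructed Windows Security logon events (4624 successful logon, 1102 audit log cleared) and flags the three traces the steps above would leave in the logs: one support account fanning out to many hosts over RDP or network logons in a short window, a Domain Admin logon to a domain controller from an ordinary workstation rather than an admin jump host, and the audit log being cleared on a hop host. All host names, account names, the field layout and the thresholds are assumptions made for the example.

```python
"""
Flag the Anunak-style credential reuse chain in Windows logon telemetry:
a support admin's credentials used across many hosts in a short window,
then a Domain Admin logon to a domain controller from an ordinary workstation,
then the audit log cleared on the host the credentials were harvested from.
Everything below (events, hosts, accounts, thresholds) is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events. Field names are an assumption,
# not a real SIEM schema: id = event ID, type = logon type, host = target machine,
# src = workstation the logon came from.
SAMPLE_EVENTS = [
    # support engineer's normal work from the admin jump host
    {"ts": "2014-12-10T09:01:00", "id": 4624, "type": 10, "user": "svc-helpdesk", "host": "WS-101", "src": "JUMP-01"},
    # same account used from an ordinary workstation against four hosts in 11 minutes
    {"ts": "2014-12-10T22:10:00", "id": 4624, "type": 10, "user": "svc-helpdesk", "host": "WS-203", "src": "WS-044"},
    {"ts": "2014-12-10T22:12:00", "id": 4624, "type": 10, "user": "svc-helpdesk", "host": "FS-01", "src": "WS-044"},
    {"ts": "2014-12-10T22:15:00", "id": 4624, "type": 3,  "user": "svc-helpdesk", "host": "FS-02", "src": "WS-044"},
    {"ts": "2014-12-10T22:21:00", "id": 4624, "type": 10, "user": "svc-helpdesk", "host": "APP-07", "src": "WS-044"},
    # Domain Admin credential, harvested on FS-01, used against the DC from the same workstation
    {"ts": "2014-12-10T23:02:00", "id": 4624, "type": 10, "user": "da-ivanov", "host": "DC-01", "src": "WS-044"},
    # audit log cleared on the hop host
    {"ts": "2014-12-10T23:40:00", "id": 1102, "type": None, "user": "da-ivanov", "host": "FS-01", "src": "FS-01"},
    # legitimate DA activity the next morning from the jump host (must not alert)
    {"ts": "2014-12-11T08:30:00", "id": 4624, "type": 10, "user": "da-ivanov", "host": "DC-01", "src": "JUMP-01"},
]

# Environment facts that would normally come from AD / CMDB (constructed).
DOMAIN_CONTROLLERS = {"DC-01"}
ADMIN_JUMP_HOSTS = {"JUMP-01"}
DOMAIN_ADMINS = {"da-ivanov"}
REMOTE_LOGON_TYPES = {3, 10}  # 3 = network (SMB, WMI), 10 = RemoteInteractive (RDP)


def parse_ts(s):
    return datetime.fromisoformat(s)


def fan_out_alerts(events, window=timedelta(minutes=30), min_hosts=3):
    """Accounts whose remote logons reach >= min_hosts distinct hosts within one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["type"] in REMOTE_LOGON_TYPES:
            by_user[e["user"]].append((parse_ts(e["ts"]), e["host"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, tuple(sorted(hosts))))
                break  # one alert per account is enough for triage
    return alerts


def dc_logon_alerts(events):
    """Domain Admin logons to a domain controller that did not come from an admin jump host."""
    return [
        (e["user"], e["host"], e["src"])
        for e in events
        if e["id"] == 4624
        and e["user"] in DOMAIN_ADMINS
        and e["host"] in DOMAIN_CONTROLLERS
        and e["src"] not in ADMIN_JUMP_HOSTS
    ]


def log_cleared_alerts(events):
    """Event 1102: somebody cleared the Security log, the classic trace-removal step."""
    return [(e["user"], e["host"]) for e in events if e["id"] == 1102]


def triage(events):
    return {
        "fan_out": fan_out_alerts(events),
        "dc_from_workstation": dc_logon_alerts(events),
        "log_cleared": log_cleared_alerts(events),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

Run as a script it prints the three alert lists; in a real deployment the event dicts come from a SIEM export and the host and account sets from Active Directory, and the 30-minute window and three-host threshold need tuning per environment so that ordinary help-desk work does not fire the fan-out rule.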
The criminals used three programs and techniques, Mimikatz, Cain & Abel and an SSHD backdoor, to steal passwords and maintain remote access. The whole chain turns on reusing stolen credentials, which suggests that a security control that renders a stolen password useless on its own is a priority for financial organizations protecting user, administrator and server logins.
Two-factor authentication is one such control: it requires a physical device (a hardware token or a personal smartphone) to verify identity before granting access to a computer, server or application, so a password captured by Mimikatz cannot be replayed by itself. One caveat a practitioner will want: the second factor has to be enforced on every remote path the attackers used (RDP, SSH, VPN and admin consoles), because a password or hash replayed over a plain NTLM network logon to a file share never reaches a second-factor prompt. Find out more about two-factor authentication and how the different authentication methods work.
Other attacks, against U.S. and European organizations in the retail and media/PR sectors, aimed at insider information that would give the hackers an advantage on the stock market.
Methods of entry included a crypto-currency malware-dropping botnet that infected retail systems, extracted Windows registration, network and domain information, and dropped additional components on selected systems. Other entry methods were spear phishing and SQL injection.
More importantly, lateral movement also depends on credentials: the report found that the attackers used Metasploit, a penetration testing framework, as an attack tool, combining port scanning, privilege escalation and credential theft to move between systems and networks. Applying two-factor authentication to user and admin accounts can deter attackers as they try to move through a company's network.
Another way to reduce the risk of lateral movement is to apply the principle of least privilege: limit the access of users and admins to the minimum amount and scope of data and applications they need to do their jobs. Assigning roles and limiting capabilities is another way companies can manage their security tools, including two-factor authentication itself. Learn more about administrative roles with two-factor authentication.
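To make the least-privilege point concrete, here is an added example that is not from the report or the original post: a small Python model of the credential-exposure graph behind the lateral-movement chain above. An attacker on a host harvests every account with a session or cached credential on that host (what Mimikatz does), and each harvested account gives the attacker every host it administers. A breadth-first search from one infected workstation shows whether that reaches Domain Admin; a tiering fix (Domain Admin accounts administer and log on to domain controllers only) is then applied to the same data to show the path disappearing. All host names, account names, memberships and sessions are constructed for the example.

```python
"""
Credential-exposure graph for an Anunak-style intrusion (constructed example).
Nodes are hosts and accounts. Edges:
  host    -> account : the account has a session / cached credential on the host
  account -> host    : the account is a local administrator of the host
A path from the first infected workstation to a Domain Admin account is the
lateral-movement chain; least-privilege tiering removes it.
"""
from collections import deque

# Which accounts are local administrators of which hosts (constructed).
ADMIN_TO = {
    "svc-helpdesk": {"WS-044", "WS-203", "FS-01"},  # support engineer: workstations plus one file server
    "da-ivanov":    {"FS-01", "FS-02", "DC-01"},     # Domain Admin also used to administer member servers
    "u.petrova":    set(),                           # ordinary user, admin of nothing
}
# Which accounts have live sessions or cached credentials on which hosts (constructed).
SESSIONS_ON = {
    "WS-044": {"u.petrova", "svc-helpdesk"},  # support engineer fixed this machine earlier today
    "WS-203": {"u.petrova"},
    "FS-01":  {"da-ivanov"},                  # Domain Admin logged on interactively to a member server
    "FS-02":  set(),
    "DC-01":  {"da-ivanov"},
}
DOMAIN_ADMINS = {"da-ivanov"}
DOMAIN_CONTROLLERS = {"DC-01"}


def attack_path(start_host, admin_to, sessions_on, targets):
    """BFS from a compromised host; returns the shortest path (hosts and accounts,
    alternating) to any target account, or None if no such path exists."""
    queue = deque([(("host", start_host), [start_host])])
    seen = {("host", start_host)}
    while queue:
        (kind, name), path = queue.popleft()
        if kind == "host":
            # on a host the attacker harvests every account with a session there
            nxt = [("acct", a) for a in sessions_on.get(name, ())]
        else:
            if name in targets:
                return path
            # with an account the attacker reaches every host it administers
            nxt = [("host", h) for h in admin_to.get(name, ())]
        for node in sorted(nxt):  # sorted for deterministic output
            if node not in seen:
                seen.add(node)
                queue.append((node, path + [node[1]]))
    return None


def apply_tiering(admin_to, sessions_on, domain_admins, domain_controllers):
    """Least-privilege fix: Tier-0 (Domain Admin) accounts administer, and hold
    sessions on, domain controllers only. Member servers get separate admin accounts."""
    tiered_admin = {
        acct: (hosts & domain_controllers if acct in domain_admins else set(hosts))
        for acct, hosts in admin_to.items()
    }
    tiered_sessions = {
        host: (set(accts) if host in domain_controllers else accts - domain_admins)
        for host, accts in sessions_on.items()
    }
    return tiered_admin, tiered_sessions


def before_and_after(start_host="WS-044"):
    before = attack_path(start_host, ADMIN_TO, SESSIONS_ON, DOMAIN_ADMINS)
    t_admin, t_sessions = apply_tiering(ADMIN_TO, SESSIONS_ON, DOMAIN_ADMINS, DOMAIN_CONTROLLERS)
    after = attack_path(start_host, t_admin, t_sessions, DOMAIN_ADMINS)
    return before, after


if __name__ == "__main__":
    before, after = before_and_after()
    print("path to Domain Admin before tiering:", before)
    print("path to Domain Admin after tiering: ", after)
```

The same data structures can be filled from real sources (local Administrators group membership and logged-on sessions enumerated per host), which is how graph tools such as BloodHound work; the point of the toy is that the Domain Admin's interactive logon to a member server, not the support engineer's password by itself, is what turned one infected workstation into a domain compromise.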
For more on financial and banking data breaches and security, check out:
Protecting Payment Cards: A Modern Guide to Retail Data Risks
JPMorgan Chase Breach: 83 Million Records Breached by Lack of Two Factor
New POS Vulnerabilities, Malware & Risks to the Retail Industry